for any security concerns regarding phishing, hoax emails or phone calls relating to the Register.

This is a free call within NZ (overseas callers can use +64 4 918 3502 – note that normal phone charges apply).

For all other enquiries, please call 0800 CLIMATE (0800 254 628) during business hours, this is a free call
within NZ. Overseas callers can use +64 3 962 2708, (normal phone charges apply).

Our business hours and full contact details are available on our Contact us page.

Important information we think you should know in order to protect yourself online and to assist us in the protection of your assets and information.

Your RealMe username and password are for your use only.

The EPA will never ask you for your RealMe password. Never tell anyone your password including people at our contact centre, the EPA or any government representatives.

You can view your last login details (date and time) which show when your account in the Register was last used. This will
ensure that you know your account has not been compromised.

Phishing is where people contact you as part of a scam; often by email, phone, or by directing you to a phoney website to obtain financial or
personal identity information.

We will never contact you asking for your password or provide you with a link to another website that asks you to verify your password.

If you receive an email asking for your password, do not respond to the email or click on the link and please contact us immediately on our Suspicious Activity
Line 0800 387 4688 (overseas callers can use +64 4 918 3502) to report the matter. If you believe that someone may have seen you typing in your password
we advise you to change it.

The EPA ask you to protect yourself and the integrity and security of the Register and we recommend that you:

Choose a quality password which contains strong content. For general guidelines on password content please refer to our “Do’s and Don’ts”
general password guidelines section below.

Supply an email address for Register correspondence that you do not share with other people.

Ensure the use of up to date anti-virus software on your computer and mobile devices such as mobile laptops, tablets such as Apple iPads
(and where available on your mobile phone).

Run regular scans for viruses, use licensed approved software

Use the lock password / passcode required function on your computer or mobile device when not in use.

Be aware of people around you when you are entering your username and password details and make efforts to conceal what you are entering especially in public areas.

Recommendations for those who receive transaction authorisation codes on your mobile phone or if you use your mobile phone to access the internet and your email:

Where possible use a complex code rather than a default 4 digit passcode.

Avoid changing security details such as passwords in public places and avoid leaving mobile devices unattended.

Check for approved manufacturer operating system updates to fix security issues and apply them when available.

Don’t use public Wi-Fi spots that do not require a password when using any secure web services

Do not use mobile devices such as laptops, tablets and phones which have been modified to bypass the manufacturer protection measures.

These manufacturer protections are there to restrict access, limiting what can be installed and modified on the device, such as applications and malicious
software (malware). We advise the use of approved software only.

(For Apple iOS devices bypassing manufacturer protections is known as “jailbreaking” and by other names for androids).

If you receive transaction authorisation code text messages must notify the EPA as soon as possible:

if you change your mobile phone number

if you lose your mobile phone

If you receive notifications and transaction authorisation codes by email you must notify the EPA if you change your email address.

Email addresses

The email address that you must supply when you become a user of the Register:

should be one that you do not share with others

must be a valid email address

must be unique as it can only be associated with one username in the Register.

What we do

The EPA have process and system controls in place to help protect the security and integrity of the Register, your assets and personal information.

The EPA strives to provide as much protection as possible by regularly reviewing and updating our security and technology.

No data transmitted over the internet can be guaranteed to be absolutely secure, as there are always new vulnerabilities being identified.

The EPA use security certificates (issued by VeriSign) to protect you when you login to use the Register. The displaying of this certificate
assures you that the EPA are a legitimate site and that data between your computer and our site is secure as it can be.

You will notice, when using the Register, that the address in your address bar changes from http to https and you should see a
padlock in the address bar. When you click on the padlock it shows you the certificate information for the Register.

If you ever connect to the Register logon page and you cannot see evidence that it is an https session
(it is not showing our certificate and the padlock) please contact us.

The EPA also use additional security measures to process certain transactions to keep your information and units secure.

The Climate Change Response Act 2002 (CCRA) gives the EPA the power for protecting the integrity and security of the Register. The EPA may suspend
part of or the entire operation of the Register to ensure the security or integrity of the Register, or for other reasons specified in section 13 of the Climate Change Response Act 2002.

The Do’s – general guidelines for stronger password content

The following contains general information about passwords. No password is absolutely 100% safe, but you can help make it secure as possible by following the advice below.

Choose quality passwords that contain a combination of at least one character from all three of the following character sets:

uppercase alpha (A-Z)

lowercase alpha characters (a-z)

numeric (0-9) or special characters/punctuation (!@#$%^&*).

Passwords should be memorable, but complex enough so that they are difficult to guess if someone knows details about you: Rather than just using a name or a single dictionary
word, one common method is to make up your password content by using a phrase and including a combination of characters.

It is recommended that passwords be at least 10 characters in length or longer: A longer password that uses a combination of characters helps
secure against attacks and password guessing.

Websites and systems should have checks in place to enforce that you to use a quality password as shown above and restrict you from reusing passwords: You should
use a quality password you have not used before, even if you are not prompted to.

The Don’ts – general basic guidelines for password protection and content.

Do not use a word that is in the dictionary as your password for any system: A combination or more random password format is a
lot more secure than common words even with a number.

Do not use repeated, consecutive or adjacent characters such as “999999999”, “12345678”, “abcdefgh” or “qwertyuio”:
These are examples of easy combinations that people will try when guessing passwords.

Do not use the same base password with a number at the end and only change the number e.g. thisone01, thisone02: If someone obtained your base password,
they may be able to guess your current password by guessing what the current number is.

Do not use the same password for multiple sites and services: If someone did guess your password for one system, they would then know
your passwords for any system using that password.
For example: don’t use the same password for your internet banking and your email.

Do not use passwords that include details people may know about you or family such as:

dates of birth

family names

street addresses

pet names

passport numbers

driver licence numbers

Passwords should be memorable, but complex enough so that they are not easily guessable by someone that knows details about you.

Do not use inappropriate password content: There are certain words a lot of sites will prevent you from using in your password content.

Do not write your passwords down and have them next to your computer: If you are one of the people who have to write passwords down,
store it securely away from your computer or mobile device. Do not store a username and password together.

Passwords should also not be saved in your internet browser: Other people could gain access without needing to know the password.

Do not type passwords into a document and save them on your computer or mobile device: Other people could gain access to the contents of the file.

Some of the anti-virus software companies now also supply tools and applications for generating and storing passwords more securely on your computer.
Make sure they are from reputable sites and beware of downloading and using free products from unknown sources.